Researchers steal 20GB of corporate emails via doppelganger domains

Typosquatting is a well-known phenomenon on the Internet. Most users have – at one point or another – misspelled the URL of the site they wanted to visit and were sometimes faced with sites mimicking legitimate and popular ones in order to run a survey or a phishing scam.

But, according to two researchers from the Godai Group, there is a particularly easy-to-execute type of scheme that is likely already being perpetrated by individuals located in China. It consists of using so-called “doppelganger domains” and mail servers for intercepting emails sent by mistake to them.

151 of the Fortune 500 companies profiled by the two researchers are potentially vulnerable to this kind of attack, including IT companies such as Yahoo, Dell, Cisco, IBM and HP.

The main problem here is that almost all of those companies have regional subdomains that usually look something like this: xx.company.com (the “xx” stands for the country code of a country where the company is present).

As it turns out, people quite often make the mistake of omitting the first full stop when writing emails in a hurry, so that xx.company.com becomes xxcompany.com. That would not represent such a big problem if these destination addresses were non-existent, but when someone takes the trouble to register a doppelganger domain, set up a mail server for it and configure it to receive all email addressed to it, he is able to harvest all the information contained in these messages, with neither the company nor the sender being any the wiser.

And this is exactly what the researchers did. The result? “During a six‐month span, over 120,000 individual emails (or 20 gigabytes of data) were collected which included trade secrets, business invoices, employee PII, network diagrams, usernames and passwords, etc,” they say.

All that information, and they were basically doing nothing. But, as they point out, the possibilities don’t end here. The attackers can also execute a Man-in-the-MailBox (MITMB) type of attack.

The attackers receive the misdirected email, read it and send it on to the correct email address. The recipient replies – quite likely by hitting the “reply” button, so that the response is delivered again to the doppelganger email address – and the attacker can again read it and forward it to the original sender.

If neither of those individuals notices the error, the attacker could very likely leverage the information gathered from those messages to stage a social engineering attack.

They also point out that these kinds of attacks have probably been underway for a while. A number of doppelganger domains have already been set up by individuals who – judging by the domain registrant email information – are mostly (if not all) based in China.

But the worst part of it is that even though companies are aware that typosquatting can present a big problem, only one of the 30 companies for which the researchers set up doppelganger domains noticed them doing it and reacted appropriately.

In order to prevent these types of attacks, companies are advised to purchase and register the doppelganger domains and configure them so that the sender receives a bounced email notification when he misspells the address.

The researchers also urge them to check whether doppelganger domains have already been purchased by someone else and, if so, to file a complaint under the Uniform Domain-Name Dispute-Resolution Policy (UDRP). The internal DNS can also be configured not to resolve doppelganger domains, so that company employees can’t send emails to them by mistake.
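As an added example that is not part of the article or of the Godai Group's work: a small Python helper that, given a company's real regional subdomains (hypothetical example.com names used here), produces the missing-dot doppelgangers a defender should register or refuse to resolve in internal DNS, and flags outbound recipient addresses from a mail log that already point at one of them.

```python
"""Defender-side helpers for the missing-dot doppelganger problem.

Given real regional subdomains (xx.company.com), build the set of
doppelgangers (xxcompany.com) to register, block in internal DNS, or
flag in outbound mail logs. Domain names and log lines are constructed.
"""
import re
from typing import Iterable, List, Optional, Set

# local-part@domain, rejecting whitespace and a second "@"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def doppelganger_of(subdomain: str) -> Optional[str]:
    """Return the domain formed by dropping the first dot of a regional
    subdomain, or None when there is no subdomain label to fuse."""
    labels = subdomain.lower().strip(".").split(".")
    if len(labels) < 3:  # "company.com" has no regional label to fuse
        return None
    return labels[0] + labels[1] + "." + ".".join(labels[2:])


def doppelganger_set(subdomains: Iterable[str]) -> Set[str]:
    """Build the full set of doppelgangers for a list of real subdomains."""
    return {d for d in (doppelganger_of(s) for s in subdomains) if d}


def flag_misdirected(recipients: Iterable[str], dopps: Set[str]) -> List[str]:
    """Return recipient addresses whose domain is a known doppelganger.

    Meant for outbound mail-log recipient fields or a pre-send gateway
    check; matching is case-insensitive on the domain part."""
    flagged = []
    for addr in recipients:
        m = EMAIL_RE.match(addr.strip())
        if m and m.group(1).lower() in dopps:
            flagged.append(addr)
    return flagged


# Constructed sample data for a hypothetical company and its mail log.
REAL_SUBDOMAINS = ["us.example.com", "uk.example.com", "de.example.com"]
SAMPLE_RECIPIENTS = [
    "alice@us.example.com",      # correct address
    "bob@usexample.com",         # first dot dropped: doppelganger
    "carol@DEexample.com",       # same mistake, mixed case
    "dave@partner.example.org",  # unrelated domain, must not be flagged
]

if __name__ == "__main__":
    dopps = doppelganger_set(REAL_SUBDOMAINS)
    print("register/block:", sorted(dopps))
    print("misdirected:", flag_misdirected(SAMPLE_RECIPIENTS, dopps))
```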

Finally, employees, customers and business partners can be apprised of the possibility of such attacks and be warned to be careful.